(54) Title

Timed-release cryptography

(57) Abstract

In a method by which a first computing entity can verify to a second computing entity that a value a(t) provided by the first computing entity to the second computing entity is a member of the language L(a,t,n), where

$L(a,t,n) = \{(a, t, a^{2^t} \bmod n) \mid t < n,\ \gcd(a,n) = 1\},$

n is an odd composite integer having two distinct prime factors, a ∈ Z*_n is of the full order and t < n, the first computing entity sends a set of values to the second computing entity during a run of a procedure of a plurality of rounds. Each round is carried out by the first and second computing entities with respect to three of said series of values, denoted a, x, y, and in each round the first computing entity proves to the second computing entity, by way of a proof, that there exists a k for which x ≡ a^{2^k} (mod n) and y ≡ a^{2^{2k}} (mod n); the proof defines a new set of three values of the series by defining y = x if k in the current round is even, or y = √x (mod n) if k in the current round is odd. This round of steps is successively repeated until the new set of values defined by a round of steps satisfies x ≡ a^2 (mod n). The protocol according to the present invention proves, in log_2 t standard crypto operations, the correctness of (a^e)^{2^t} (mod n) with respect to a^e, where e is an RSA encryption exponent. With such a proof, a timed-release RSA encryption of a message M can be given as a^{2^t} M (mod n), with the assertion that the correct decryption of the RSA ciphertext M^e (mod n) can be obtained by performing t squarings modulo n starting from a. Timed-release RSA signatures can be constructed analogously.
Membership(a, t, a(t), n)

Abort and reject if any checking by Bob fails, or accept upon termination.

Alice                                        Bob
u =def a(t);                                 u ∈ J+(n); a ≢ ±u (mod n);
While t > 1 do
    y =def u;
    if t is odd: y =def a(t-1);
    x =def a(⌊t/2⌋);
    Sends x, y to Bob;                       Receives x, y from Alice;
                                             x, y ∈ J+(n);
                                             if t is odd: y^2 ≡ u (mod n);
    SQ(a, x, y, n);
    u =def x;
    t =def ⌊t/2⌋;
When t = 1: u ≡ a^2 (mod n).

Fig. 3

SQ(a, x, y, n)

Common input: n: an RSA modulus with a safe-prime structure;
              a ∈ Z*_n: an element of the full order 2p'q' = φ(n)/2 (so a ≢ ±1 (mod n));
              x, y ∈ J+(n): x ≢ ±y (mod n).
Alice's input: z: x ≡ ±a^z (mod n), y ≡ ±a^{z^2} (mod n).

1. Bob chooses at random r < n, s < n and sends to Alice: C =def a^r x^s (mod n);

2. Alice sends to Bob: R =def C^z (mod n);

3. Bob accepts if R ≡ x^r y^s (mod n), or rejects otherwise.

Fig. 4
B:  502  Verify n is an odd composite of two distinct primes to a desired confidence level

B:  504  Verify a ∈ Z*_n of the full order

B:  506  Verify a(t) ∈ L(a, t, n)

Fig. 5
A:  602  Form RSA ciphertext m^e (mod n), m < n

A:  604  Send m^e (mod n) to B

A:  606  Form a(t) = a^{2^t} (mod n), with a ≢ ±1 (mod n); form a^e(t)

A:  608  Form TE(m,t) = a(t) m (mod n)

A:  610  Send (TE(m,t), a^e(t), e, a, t, n) to B

B:  612  Verify a^e(t) ∈ L(a^e, t, n)

B:  614  Verify TE(m,t)^e ≡ a^e(t) m^e (mod n)

Fig. 6
A:  702  Form RSA signature m^d (mod n), m < n

A:  704  Send m^e (mod n) to B

A:  706  Form a(t) = a^{2^t} (mod n), with a ≢ ±1 (mod n); form a^e(t)

A:  708  Form TS(m,t) = a(t) m^d (mod n)

A:  710  Send (TS(m,t), a^e(t), e, a, t, n) to B

B:  712  Verify a^e(t) ∈ L(a^e, t, n)

B:  714  Verify TE(m,t)^e ≡ a^e(t) m^e (mod n)

Fig. 7
The present invention relates to timed-release cryptography.

Background of the Invention

1 General Considerations

Let n be a large composite natural number. Given t < n and gcd(a,n) = 1, without factoring n, the validation of

$X = a^{2^t} \pmod n$ (1)

can be done in t squarings mod n. However, if φ(n) (Euler's phi function of n) is known, then the validation can be completed in O(log n) multiplications via the following two steps:

$U = 2^t \pmod{\phi(n)}$ [definition], (2)

$X = a^U \pmod n$ [definition]. (3)

For t ≪ n (e.g., n > 2^{1024} and t < 2^{100}) it can be anticipated that factoring n (and hence computing φ(n) for performing the above steps) will be much more difficult than performing t squarings. Under this condition we do not know any other method which, without using the factorisation information of n, can compute a^{2^t} (mod n) in time less than t squarings. Moreover, because each squaring can only be performed on the result of the previous squaring, it is not known how to speed up the t squarings via parallelisation over multiple processors. Parallelisation of each squaring step cannot achieve a great deal of speedup either, since a squaring step needs only a trivial computational resource, and so any non-trivial scale of parallelisation of a squaring step is likely to be penalised by communication delays among the processors.

These properties suggest that the language

$L(a,t,n) = \{(a, t, a^{2^t} \bmod n) \mid t < n,\ \gcd(a,n) = 1\}$ (4)

forms a good candidate for the realisation of timed-release crypto problems. Rivest, Shamir and Wagner pioneered the use of this language in a time-lock puzzle scheme [11]. In their scheme a puzzle is a triple (t, a, n) and the instruction for finding its solution is to perform t squarings mod n starting from a, which leads to a^{2^t} (mod n). A puzzle maker, with the factorisation knowledge of n, can construct a puzzle efficiently using the steps in (2) and (3), and can fine-tune the difficulty of finding the solution by choosing t in a vast range. For instance, the MIT Laboratory for Computer Science has implemented the time-lock puzzle of Rivest et al. as "The LCS35 Time Capsule Crypto-Puzzle" and started its solving routine on 4th April 1999. It is estimated that the solution to the LCS35 Time Capsule Crypto-Puzzle will be found 35 years from 1999, that is, at the 70th year from the inception of the MIT-LCS [10].
1.1 Applications

Various applications have been proposed which utilise such properties. Boneh and Naor used a subset of L(a,t,n) (details to be discussed in section 1.2) and constructed a timed-release crypto primitive which they called "timed commitments" [3]. Besides several suggested applications, they suggested an interesting use of their primitive for solving a long-standing problem in fair contract signing. A previous solution (due to Damgard [6]) for fair contract signing between two remote and mutually distrusting parties is to let them exchange signatures of a contract via gradual release of secrets. A major drawback of that solution is weak fairness. Let us describe this weakness using, for example, a discrete-logarithm based signature scheme. A signature being gradually released relates to a series of discrete logarithm problems whose discrete logarithm values have gradually decreasing magnitudes. Sooner or later, before the two parties complete their exchange, one of them may find himself in a position to extract a discrete logarithm which is sufficiently small with respect to his computational resources. It is well known (e.g., from the work of Van Oorschot and Wiener on the parallelised rho method [12]) that parallelisation is effective for extracting small discrete logarithms. So the resourceful party (e.g., one who can afford vast parallelisation) can abort the exchange at that point and win an advanced position unfairly. Boneh and Naor suggested sealing the signatures under exchange using elements in L(a,t,n). Recalling the aforementioned non-parallelisable property of re-constructing the elements in L(a,t,n), a roughly equal time can be imposed on both parties to open the sealed signatures regardless of their (maybe vast) difference in computing resources. In this way, they argued, strong fairness for contract signing can be achieved. (However, as will be discussed in section 1.2, they did not solve the problem at all, due to the absence of verifiability.)

Applications suggested by Rivest et al. [11] include:

A bidder in an auction wants to seal his bid so that it can only be opened after the bidding period is closed.

A homeowner wants to give his mortgage holder a series of encrypted mortgage payments. These might be encrypted digital cash with different decryption dates, so that one payment becomes decryptable (and thus usable by the bank) at the beginning of each successive month.

A key-escrow scheme can be based on timed-release crypto, so that the government can get the message keys, but only after a fixed, pre-determined period.

An individual wants to encrypt his diaries so that they are only decryptable after fifty years (when the individual may have forgotten the decryption key).

1.2 Previous Work and Unsolved Problems

With the nice properties of L(a,t,n) a person is only halfway to the realisation of timed-release cryptography. In most imaginable applications where timed-release crypto may play a role, it is necessary for a problem constructor to prove (ideally in zero-knowledge) the correct construction of the problem (e.g., without a correctness proof, the strong fairness property of the fair exchange application is absent).

From the problem's membership in NP we know that there exists a zero-knowledge proof for a membership assertion regarding the language L(a,t,n). Such a proof can be constructed via a general method (e.g., the work of Goldreich et al. [8]). However, the performance of a zero-knowledge proof in a general construction is not suitable for practical use. By performance for practical use is meant an efficiency measured by a small polynomial in some typical parameters (e.g., the bit length of n). To the applicant's knowledge, there exist no practically efficient zero-knowledge protocols for proving a general case of membership in L(a,t,n), and we say so with awareness of the work of Boneh and Naor on "timed commitments" [3].

Boneh and Naor constructed a practically efficient protocol for proving membership in a subset of L(a,t,n) where t = 2^k with k a natural number. The time control that this subset can offer is in granularities of powers of 2. These granularities are too coarse. Boneh and Naor envisioned k ∈ [30, ..., 50] for typical cases in applications. While it is evident that k decreasing from 30 downwards will quickly trivialise a timed-release crypto problem, as 2^{30} is already at the level of a small polynomial in the secure bit length of n (usually 2^{10}), a k increasing from 30 upwards will harden the problem in such increasingly giant steps that imaginable services (e.g., the strong fairness for gradual disclosure of secrets proposed in [3]) will quickly become unattractive or unusable. Taking the LCS35 Time Capsule for example, suppose that the 35-year-opening-time capsule is in that subset (so the correctness can be efficiently proved with their protocol); then the only other elements in that subset with opening times close to 35 years will be those of 17.5 years and of 70 years, respectively.

Further to the problem of coarseness in time control, the correctness of a timed commitment in [3] (and that of the other timed-release crypto primitives proposed in the same paper) depends on the honesty of the committer (the person who has constructed a timed commitment). In [3] a timed commitment for committing M is as follows: first, u ∈ L(a, 2^k, n) is proven; then, bit by bit, the bits of M are xor-ed to the successive square roots of u modulo n. So when u is uncovered from 2^k squarings modulo n starting from a, all those square roots have been uncovered and M is thereby de-committed. However, no proof whatsoever was available for the committer to show the correct xor-ing of the hidden bits of M to the hidden square roots of u. In the absence of a correctness proof, such a construction cannot be regarded as a commitment in the cryptographic sense.

Nor did the time-lock puzzle work of Rivest et al. [11] provide a method for showing the correct construction of a timed-release crypto problem.

1.3 The Present Invention

The present invention, in a first aspect, provides a method by which a first computing entity can verify to a second computing entity that a value a(t) provided by the first computing entity to the second computing entity is a member of the language L(a,t,n), where L(a,t,n) = {(a, t, a^{2^t} (mod n)) | t < n, gcd(a,n) = 1}, n is an odd composite integer having two distinct prime factors, a ∈ Z*_n is of the full order and t < n, the method comprising:

the first computing entity sends a set of values to the second computing entity during a run of a procedure of a plurality of rounds, each round being carried out by the first and second computing entities with respect to three of said series of values, denoted a, x, y, and in which round the first computing entity proves to the second computing entity, by way of a proof, that there exists a k for which x ≡ a^{2^k} (mod n) and y ≡ a^{2^{2k}} (mod n), and which proof defines a new set of three values of the series by defining y = x if k in the current round is even, or y = √x (mod n) if k in the current round is odd,

this round of steps being successively repeated until the new set of values defined by a round of steps satisfies x ≡ a^2 (mod n).

The first computing entity (also "Alice" or "A") can readily calculate the values a^{2^t}, a^{2^{t-1}}, etc. by virtue of secret knowledge of φ(n) and equations (2) and (3), and so produce the required values. This allows Alice to readily send the required series of values, which includes the above set of values, from which the second computing entity ("Bob" or "B") can verify, from the fact that the last value in the series is a^2 (i.e. a^{2^1}), that the value a(t) is of the form a^{2^t} and so a member of the language L(a,t,n).

In this way Bob can verify the continuity of the chain of values in the set from a(t) (= a^{2^t}) to a^2 (= a^{2^1}) as sent by Alice, as each value in the set is of the form a^{2^k}, for some k, and is verifiably followed by the value a^{2^{(k-1)/2}}, k odd, or a^{2^{k/2}}, k even, until a^2 is reached.

The zero-knowledge proof that each value received is equal to a value a^{2^k}, which may be based on knowledge of a value a^{2^k}, comprises: the first computing entity selecting a value z with x ≡ ±a^z (mod n), y ≡ ±a^{z^2} (mod n); the second computing entity choosing at random r < n, s < n and sending the value C = a^r x^s (mod n) to the first computing entity; the first computing entity sending to the second computing entity the value R = C^z (mod n); and the second computing entity accepting the verification if, and only if, the received value R ≡ x^r y^s (mod n).

A method according to the present invention may include the computer implemented first step of verifying, by data exchanges between the computing entities, that n is an odd composite of two distinct primes to a desired confidence level, and/or the computer implemented step of verifying that a ∈ Z*_n is of the full order.

The present invention in a second aspect provides a method by which a computing entity can provide that an RSA ciphertext M^e (mod n) of a message M < n provided to another computing entity is verifiably decryptable in time t, where n = p.q, p and q being two distinct odd primes and e is relatively prime to φ(n), the method comprising the computer implemented steps of:

a) forming a(t) = a^{2^t} (mod n) and a^e(t) = (a(t))^e (mod n), a ≢ ±1 (mod n) and being a random element in Z*_n;

b) forming TE(M,t) = a(t) M (mod n);

c) sending the tuple (TE(M,t), a^e(t), e, a, t, n) to the other computing entity.

This method may include the other computing entity, on receiving the tuple from the computing entity, verifying that the RSA ciphertext M^e (mod n) is decryptable from TE(M,t) in time t by confirming a^e(t) ∈ L(a^e,t,n) by a method according to the first aspect of the present invention and by confirming TE(M,t)^e = a^e(t) M^e (mod n).

The present invention in a third aspect provides a method by which a computing entity can provide that an RSA signature M^d (mod n) on a message M < n provided to another computing entity is verifiably releasable in time t, where n = p.q, p and q being distinct odd primes and d is relatively prime to φ(n), the method comprising the computer implemented steps of:

a) forming a(t) = a^{2^t} (mod n) and a^e(t) = (a(t))^e (mod n), a ≢ ±1 (mod n) and being a random element in Z*_n;

b) forming TS(M,t) = a(t) M^d (mod n);

c) sending the tuple (M, TS(M,t), a^e(t), e, a, t, n) to the other computing entity.

This method may include the other computing entity, on receiving the tuple from the computing entity, verifying that the RSA signature M^d (mod n) can be obtained from TS(M,t) in time t by confirming a^e(t) ∈ L(a^e,t,n) by a method according to the first aspect of the present invention and by confirming TS(M,t)^e = a^e(t) M (mod n).

The present invention in a fourth aspect provides a computing entity comprising: data processing equipment, a memory, and communications equipment, said data processing equipment being configured so as to be capable of processing data according to a set of instructions stored in said memory; said communications equipment being configured so as to communicate data according to said set of instructions; said set of instructions being such as to configure the computing entity to be capable of carrying out the computer implemented steps of any of the methods of the first aspect of the present invention. In a fifth aspect the present invention provides a system of such co-operating computing entities, which computing entities may be part of a communication system and are able to exchange data by way of a communications medium, and in which said communications medium includes one or more of the internet, a local area network, a wide area network, a virtual private circuit or a public telecommunications network.

The present invention in a sixth aspect provides a computer storage medium having stored thereon a computer program readable by a general-purpose computer, the computer program including instructions for said general-purpose computer to configure it to be any computing entity according to the present invention.
The present invention, in all its various aspects, is based on the provision of a practical zero-knowledge proof protocol for demonstrating membership in L(a,t,n) which runs in log_2 t steps, each an exponentiation modulo n, or O((log_2 t)(log_2 n)^3) bit operations in total. This efficiency suits practical uses. The membership demonstration can be conducted in terms of (a^e)^{2^t} (mod n) ∈ L(a^e,t,n) on given a and a^e, where e is an RSA encryption exponent. Then we are able to provide two timed-release crypto primitives, one for timed release of a message in RSA encryption, and the other for timed release of an RSA signature. In the former, a message M can be sealed in a^{2^t} M (mod n) and the established membership asserts that the correct decryption of the RSA ciphertext M^e (mod n) can be obtained by performing t squarings modulo n starting from a. The latter primitive can be constructed analogously.

The schemes of the present invention provide general methods for the use of timed-release cryptography.

Embodiments of the best mode of the invention contemplated by the applicant will now be described, by way of example only, with reference to the accompanying drawings, of which:

Figure 1 is a schematic diagram of a system of co-operating computing entities according to the present invention;

Figure 2 is a schematic diagram of the computing entities of the system of computing entities of Figure 1;

Figure 3 is a pseudo-code description of the method of verifying a(t) ∈ L(a,t,n) of the present invention;

Figure 4 is a pseudo-code description of a verification method useful with the method of Figure 3;

Figure 5 is a flow chart of the additional verification steps useful with the present invention;

Figures 6 and 7 are flow charts of applications of the method according to the present invention.

1. Detailed Description of the Embodiments

In the following description numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art, that the present invention may be practised without limitation to these specific details. In other instances, well-known methods and structures have not been described in detail so as not to unnecessarily obscure the present invention.
Referring to Figure 1, there are illustrated schematically two computing entities 102, 104, configured for communicating electronic data with each other over a communications network, in this case the internet 106, by communicating data 108, 110 to each other via the internet 106 in a well-known manner. Illustrated in Figure 1 are a first computing entity 102, hereinafter referred to as entity A or Alice, and a second computing entity 104, hereinafter referred to as entity B or Bob. In the example illustrated in Figure 1, the first and second computing entities 102 and 104 are geographically remote from each other and the communications network comprises the known internet 106. In other embodiments and implementations of the present invention the communications network could comprise any suitable means of transmitting digitised data between the computing entities. For example, a known Ethernet network, local area network, wide area network, virtual private circuit or public telecommunications network may form the basis of a communications medium between the computing entities 102 and 104.

The computing entities 102 and 104 have been programmed by storing on memories 203 and 205 programs read from computer program storage media 112 and 114, for example CD-ROMs.

Referring now to Figure 2, there are illustrated schematically the physical resources and logical resources of the computing entities A and B. Each computing entity comprises at least one data processing means 200, 202, a memory area 203, 205, and a communications port 206, 208 for communicating with other computing entities. There is an operating system 209, 211, for example a known Unix operating system. One or more application programs 212, 214 are configured for receiving, transmitting and performing data processing on electronic data received from other computing entities, and transmitted to other computing entities, in accordance with specific methods of the present invention. Optionally there is a user interface 215, 217 which may comprise a visual display device, a pointing device, e.g. a mouse or track-ball device, a keypad, and a printer.

Under control of the respective application program 212, 214 each of the computing entities 102, 104 is configured to operate according to a method of the present invention, specific embodiments of which will now be described.

Referring now to Figure 3, there is shown a pseudo-code description of the steps of an embodiment of the present invention by which a computing entity (B, Bob) may determine whether a(t) ∈ L(a,t,n), and which is described in more detail in section 4.2 below.

Bob has received the values a, t, a(t), n, and it is assumed that Alice and Bob have agreed on n being of a suitable prime factor structure. At the start of the "membership" procedure u is defined as equal to a(t), and Bob verifies that u ∈ J+(n) and that a ≢ ±u (mod n).

Alice sets y to u and determines whether t is odd or even. If t is even, Alice calculates x = a(t/2) and sends the values x and y to Bob. If t is odd, Alice sets t to t-1, sets y to a(t-1) and calculates x = a((t-1)/2) (i.e. a(k) where k is the integer part of t/2), and sends these values to Bob.

In each case (t odd or even) Bob verifies x, y ∈ J+(n) and, in the case t was odd, verifies that y^2 ≡ u (mod n).

Alice and Bob then enter into a data exchange SQ(a,x,y,n), to be described in more detail with reference to Figure 4, by which Alice verifies to Bob that there exists a z such that x ≡ a^z (mod n) and y ≡ a^{z^2} (mod n). Thereafter t is redefined as the current value of ⌊t/2⌋. If t = 1 the membership procedure terminates and Bob verifies that u ≡ a^2 (mod n), thereby verifying that a(t) is of the form a^{2^t}. If t > 1, then Alice calculates the next value of x in the series to send to Bob.

Referring now to Figure 4, there is shown a pseudo-code description of the SQ procedure mentioned above. Bob has the values a and n, as well as the values x and y supplied by Alice. Bob chooses values r and s at random, r < n and s < n, calculates the value C = a^r x^s (mod n) and sends this value to Alice. Alice then calculates the value R = C^z (mod n), where z is such that x ≡ ±a^z (mod n) and y ≡ ±a^{z^2} (mod n). Bob accepts the verification if R ≡ x^r y^s (mod n) and rejects it otherwise.
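The Membership and SQ procedures of Figures 3 and 4, as described above, worked through in Python as an added example (not code from the patent or the paper it embeds). It simulates both parties on a constructed toy safe-prime modulus (p = 2039, q = 2027), assumes for simplicity that a(t), x and y are exact powers of a rather than their negatives, and the names membership, sq, a_of and make_parameters are the example's own.

```python
import random
from math import gcd


def jacobi(x, n):
    """Jacobi symbol (x/n) for odd n > 0. J+(n) is the set of x with symbol +1."""
    assert n > 0 and n % 2 == 1
    x %= n
    result = 1
    while x:
        while x % 2 == 0:
            x //= 2
            if n % 8 in (3, 5):
                result = -result
        x, n = n, x
        if x % 4 == 3 and n % 4 == 3:
            result = -result
        x %= n
    return result if n == 1 else 0


def a_of(a, t, n, phi):
    """a(t) = a^(2^t) (mod n) by the phi(n) shortcut of eqs (2) and (3): Alice only."""
    return pow(a, pow(2, t, phi), n)


def make_parameters():
    """Constructed toy instance: safe primes p = 2p'+1, q = 2q'+1 and an a of full order 2p'q'."""
    p1, q1 = 1019, 1013                      # p' and q' (both prime)
    p, q = 2 * p1 + 1, 2 * q1 + 1            # 2039 and 2027, both prime
    n, phi = p * q, (p - 1) * (q - 1)
    # Order_n(a) divides 2p'q'; it equals 2p'q' iff none of the maximal proper
    # divisors p'q', 2p', 2q' is an exponent sending a to 1.
    a = 2
    while not (gcd(a, n) == 1 and pow(a, p1 * q1, n) != 1
               and pow(a, 2 * p1, n) != 1 and pow(a, 2 * q1, n) != 1):
        a += 1
    return a, n, phi


def sq(a, x, y, n, z_mod_phi, rng):
    """SQ(a, x, y, n): Bob is convinced that x = a^z and y = a^(z^2) for Alice's z.

    Both parties are simulated here; only Alice's reply R uses z (reduced mod phi(n))."""
    # Bob's checks on the common input: x, y in J+(n) and x != ±y (mod n)
    if jacobi(x, n) != 1 or jacobi(y, n) != 1 or x == y or (x + y) % n == 0:
        return False
    r, s = rng.randrange(1, n), rng.randrange(1, n)      # Bob: random r, s < n
    c = pow(a, r, n) * pow(x, s, n) % n                   # Bob -> Alice: C = a^r x^s
    resp = pow(c, z_mod_phi, n)                           # Alice -> Bob: R = C^z
    return resp == pow(x, r, n) * pow(y, s, n) % n        # Bob: R == x^r y^s ?


def membership(a, t, a_t, n, phi, rng=None):
    """Membership(a, t, a(t), n) of Figure 3. Returns True iff Bob accepts.

    phi is Alice's secret; every Bob-side check below uses only a, t, n and the
    values Alice sends. a_t is the claimed a(t); the chain itself is computed honestly."""
    rng = rng or random.SystemRandom()
    u = a_t % n
    if jacobi(u, n) != 1 or u == a % n or (u + a) % n == 0:   # u in J+(n), a != ±u
        return False
    while t > 1:
        # Alice: y = u, or a(t-1) when t is odd; x = a(floor(t/2))
        k = t // 2
        y = a_of(a, t - 1, n, phi) if t % 2 else u
        x = a_of(a, k, n, phi)
        # Bob: x, y in J+(n); for odd t, y^2 == u
        if jacobi(x, n) != 1 or jacobi(y, n) != 1:
            return False
        if t % 2 and pow(y, 2, n) != u:
            return False
        # SQ with Alice's witness z = 2^k, so that a^z = x and a^(z^2) = y
        if not sq(a, x, y, n, pow(2, k, phi), rng):
            return False
        u, t = x, k
    return u == pow(a, 2, n)      # when t = 1: u == a^2 (mod n)
```

For odd t a wrong claimed a(t) is already rejected at the y^2 ≡ u check, before any random challenge is issued.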

Referring to Figure 5, there is shown a flow chart of a method of the present invention in which, at step 502, B verifies that n is an odd composite of two distinct primes to a desired confidence level, then at step 504 verifies that a ∈ Z*_n is of the full order, before proceeding to verify, with the co-operation of Alice, that a(t) ∈ L(a,t,n) at step 506.
Figure 6 is a flow chart of a method by which a computing entity can provide that an RSA ciphertext M^e (mod n) of a message M < n provided to another computing entity is verifiably decryptable in time t, where n = p.q, p and q being two distinct odd primes and e is relatively prime to φ(n), the method comprising the computer implemented steps of:

a) forming a(t) = a^{2^t} (mod n) and a^e(t) = (a(t))^e (mod n), a ≢ ±1 (mod n) and being a random element in Z*_n;

b) forming TE(M,t) = a(t) M (mod n);

c) sending the tuple (TE(M,t), a^e(t), e, a, t, n) to the other computing entity.

The other computing entity, on receiving the tuple from the computing entity, verifies that the RSA ciphertext M^e (mod n) is decryptable from TE(M,t) in time t by confirming a^e(t) ∈ L(a^e,t,n) by the method of the first aspect of the present invention and by confirming TE(M,t)^e = a^e(t) M^e (mod n).

Figure 7 is a flow chart of a method by which a computing entity can provide that an RSA signature M^d (mod n) on a message M < n provided to another computing entity is verifiably releasable in time t, where n = p.q, p and q being distinct odd primes and d is relatively prime to φ(n), the method comprising the computer implemented steps of:

a) forming a(t) = a^{2^t} (mod n) and a^e(t) = (a(t))^e (mod n), a ≢ ±1 (mod n) and being a random element in Z*_n;

b) forming TS(M,t) = a(t) M^d (mod n);

c) sending the tuple (M, TS(M,t), a^e(t), e, a, t, n) to the other computing entity.

The other computing entity, on receiving the tuple from the computing entity, verifies that the RSA signature M^d (mod n) can be obtained from TS(M,t) in time t by confirming a^e(t) ∈ L(a^e,t,n) by the method of the first aspect of the present invention and by confirming TS(M,t)^e ≡ a^e(t) M (mod n).
1.4 Organisation

In the next section we agree on the notation to be used in the paper. In Section 3 we construct general methods for timed-release cryptography based on proven membership in L(a,t,n). In Section 4 we construct our membership proof protocol working with an RSA modulus of a safe-prime structure. In Section 5 we generalise our result to working with any odd composite modulus which is difficult to factor.

2 Notation

Throughout the paper we use the following notation. Z_n denotes the ring of integers modulo n. Z*_n denotes the multiplicative group of integers modulo n. φ(n) denotes Euler's phi function of n, which is the order, i.e., the number of elements, of the group Z*_n. For an element a ∈ Z*_n, Order_n(a) denotes the multiplicative order modulo n of a, which is the least index i satisfying a^i ≡ 1 (mod n); ⟨a⟩ denotes the subgroup generated by a; (x/n) denotes the Jacobi symbol of x mod n. We denote by J+(n) the subset of Z*_n containing the elements of positive Jacobi symbol. For integers a, b, we denote by gcd(a,b) the greatest common divisor of a and b, and by lcm(a,b) the least common multiple of a and b. For a real number r, we denote by ⌊r⌋ the floor of r, i.e., r rounded down to the nearest integer. For an event E, we denote by Pr[E] the probability for E to occur.

3 Timed-Release Crypto with Membership in L(a, t, n)

Let Alice be the constructor of a timed-release crypto problem. She begins by constructing a composite natural number n = pq where p and q are two distinct odd prime numbers. Define

$a(t) \stackrel{\text{def}}{=} a^{2^t} \pmod n,$ (5)

$a^e(t) \stackrel{\text{def}}{=} (a(t))^e \pmod n,$ (6)

where e is a fixed natural number relatively prime to φ(n) (in the position of an RSA encryption exponent), and a ≢ ±1 (mod n) is a random element in Z*_n. Alice can construct a(t) using the steps in (2) and (3).

The following security requirements should be in place: n should be so constructed that Order_{φ(n)}(2) is sufficiently large, and a should be so chosen that Order_n(a) is sufficiently large.

In the remainder of this section, we assume that Alice has proven to Bob, the verifier, the following membership status (using the protocol in §4):

$a^e(t) \in L(a^e, t, n).$ (7)

Clearly, this is equivalent to another membership status:

$a(t) \in L(a, t, n).$

However, in the latter case a(t) is (temporarily) unavailable to Bob due to the difficulty of extracting the e-th root (of a^e(t)) in the RSA group.

3.1 Timed-release of an RSA Encryption

For message M < n, to make the RSA ciphertext M^e (mod n) decryptable in time t, Alice can construct a "timed encryption":

$TE(M,t) \stackrel{\text{def}}{=} a(t)\,M \pmod n.$ (8)

Let Bob be given the tuple (TE(M,t), a^e(t), e, a, t, n) where a^e(t) is constructed in (5) and (6) and has the membership status in (7) proven by Alice. Then from the relation

$TE(M,t)^e = a^e(t)\,M^e \pmod n,$ (9)

Bob is assured that the plaintext corresponding to the RSA ciphertext M^e (mod n) can be obtained from TE(M,t) by performing t squarings modulo n starting from a.

Remark As in the case of a practical public-key encryption scheme, M in (8) should be ran- 
domised using a proper plaintext randomisation scheme designed for providing the semantic 
security (e.g., the OAEP scheme for RSA [1]). 

3.2 Timed-release of an RSA Signature

Let $e, n$ be as above and $d$ satisfy $ed \equiv 1 \pmod{\phi(n)}$ (so $d$ is in the position of an RSA signing exponent). For message $M < n$ (see Remark below), to make its RSA signature $M^d \pmod n$ releasable in time $t$, Alice can construct a "timed signature":

$TS(M, t) \stackrel{\mathrm{def}}{=} a(t) M^d \pmod n$. (10)

Let Bob be given the tuple $(M, TS(M, t), a^e(t), e, a, t, n)$ where $a^e(t)$ is constructed in (5) and (6) and has the membership status in (7) proven by Alice. Then from the relation

$TS(M, t)^e \equiv a^e(t) M \pmod n$, (11)

Bob is assured that the RSA signature on $M$ can be obtained from $TS(M, t)$ by performing $t$ squarings modulo $n$ starting from $a$.

Remark As in the case of a practical digital signature scheme, $M$ in (10) should denote an output from a secure one-way hash function. We further require that the output is in $J_+(n)$. A random padding scheme should make this happen with probability 0.5.
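The following Python program is an added worked example, not part of the patent text: it builds the timed encryption (8) and the timed signature (10) of §3.1 and §3.2 on a constructed toy safe-prime modulus ($p = 23$, $q = 47$, $e = 3$), checks relations (9) and (11) the way Bob can before the delay elapses, and then opens both values by $t$ squarings. All parameters and the message are constructed for illustration and are far too small for real use.

```python
from math import gcd

# Constructed toy parameters (not from the patent): safe primes p = 2*11+1, q = 2*23+1.
P, Q = 23, 47
N = P * Q                   # 1081
PHI = (P - 1) * (Q - 1)     # 1012
E = 3                       # gcd(3, 1012) = 1, so e is a valid RSA encryption exponent
D = pow(E, -1, PHI)         # 675, since 3 * 675 = 2 * 1012 + 1


def order_mod(a, n, phi):
    """Multiplicative order of a in Z_n^* by brute force (fine for the toy modulus)."""
    for k in range(1, phi + 1):
        if pow(a, k, n) == 1:
            return k
    raise ValueError("a is not a unit modulo n")


def pick_full_order_a(n, phi):
    """Smallest a of the full order 2p'q' = phi(n)/2 (such an a is never +-1 mod n)."""
    return next(a for a in range(2, n) if gcd(a, n) == 1 and order_mod(a, n, phi) == phi // 2)


def timed_value(a, t, n):
    """a(t) = a^(2^t) mod n computed the slow way: t sequential squarings.
    This is exactly the work Bob must invest to open a timed value."""
    v = a % n
    for _ in range(t):
        v = v * v % n
    return v


def timed_value_fast(a, t, n, phi):
    """Alice's shortcut: knowing phi(n) she reduces the exponent 2^t modulo phi(n) first."""
    return pow(a, pow(2, t, phi), n)


def timed_encrypt(m, a, t, n, phi, e):
    """TE(M,t) = a(t)*M mod n (8), plus the public a^e(t) that Bob receives in the tuple."""
    at = timed_value_fast(a, t, n, phi)
    return at * m % n, pow(at, e, n)


def verify_te(te, at_e, m_e, e, n):
    """Relation (9): TE(M,t)^e == a^e(t) * M^e (mod n). Together with the membership
    proof of a^e(t) this is all Bob can check before performing the t squarings."""
    return pow(te, e, n) == at_e * m_e % n


def open_te(te, a, t, n):
    """Recover M from TE(M,t): t squarings of a, then divide out a(t)."""
    return te * pow(timed_value(a, t, n), -1, n) % n


def timed_sign(m, a, t, n, phi, e, d):
    """TS(M,t) = a(t)*M^d mod n (10), plus a^e(t) for the tuple (M, TS, a^e(t), e, a, t, n)."""
    at = timed_value_fast(a, t, n, phi)
    return at * pow(m, d, n) % n, pow(at, e, n)


def verify_ts(ts, at_e, m, e, n):
    """Relation (11): TS(M,t)^e == a^e(t) * M (mod n)."""
    return pow(ts, e, n) == at_e * m % n


def open_ts(ts, a, t, n):
    """Recover the RSA signature M^d from TS(M,t) after t squarings."""
    return ts * pow(timed_value(a, t, n), -1, n) % n


def demo(m=77, t=20):
    """Run both schemes end to end; m = 77 is a constructed message coprime to n."""
    a = pick_full_order_a(N, PHI)
    te, at_e = timed_encrypt(m, a, t, N, PHI, E)
    ts, _ = timed_sign(m, a, t, N, PHI, E, D)
    return {
        "a": a,
        "te_relation": verify_te(te, at_e, pow(m, E, N), E, N),
        # cubing is a bijection on Z_n (gcd(3, phi) = 1), so a changed TE can never pass (9)
        "te_tampered_rejected": not verify_te((te + 1) % N, at_e, pow(m, E, N), E, N),
        "te_opens_to_m": open_te(te, a, t, N) == m,
        "ts_relation": verify_ts(ts, at_e, m, E, N),
        "ts_opens_to_signature": open_ts(ts, a, t, N) == pow(m, D, N),
        "fast_equals_slow": timed_value_fast(a, t, N, PHI) == timed_value(a, t, N),
    }


if __name__ == "__main__":
    print(demo())
```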

3.3 Security Analysis

3.3.1 Confidentiality of $M$ in $TE(M, t)$

We assume that Alice has properly implemented our security requirements on the large magnitudes of $\mathrm{Order}_{\phi(n)}(2)$ and $\mathrm{Order}_n(a)$. Then we observe that the mapping from $a^e$ to $a^e(t)$ is random (it follows the Blum-Blum-Shub random sequence generator [2]) in a large subset of the quadratic residues modulo $n$. Thus, given the difficulty of extracting the $e$-th root of a random element in the RSA group, a successful extraction of $a(t)$ from $a^e(t)$ will constitute a grand breakthrough if it is done at a cost less than $t$ squarings modulo $n$.

The above part of the argument (i.e., the difficulty of finding $a(t)$ from $a^e(t)$) will also apply to the security analysis in §3.3.3.

Next, we observe that our scheme for encrypting $M \in Z_n^*$ inside $TE(M, t)$ is a trapdoor one-way permutation (from $Z_n^*$ to a subset of it), since the transformation is to multiply, modulo $n$, the message $M$ by the trapdoor secret $a(t)$. Thus, well-known plaintext randomisation schemes which have been proposed for achieving semantic security for trapdoor-one-way-permutation-based cryptosystems (e.g., OAEP for RSA [1]) can be applied to our plaintext message before the permutation, and thereby achieve the message confidentiality properties that such a randomisation scheme offers (against various passive or active attacks).
3.3.2 Unforgeability of $M^d$ in $TS(M, t)$

Recall that $M$ here denotes an output from a secure one-way hash function before signing in the RSA way. The unforgeability of $M^d$ in $TS(M, t)$ directly follows that of $M^d \pmod n$ given in clear.

Likewise, the randomness of $a^e(t)$ ensures that of $TS(M, t)^e$. Thus the availability of the pair $(TS(M, t), TS(M, t)^e)$ does not constitute a valid signature of Alice on anything, since this availability is equivalent to that of $(x, x^e)$, which anybody can construct from a random $x$.

3.3.3 Indistinguishability of $M^d$ in $TS(M, t)$

The indistinguishability is the following property: with the timed-release signature on $M$ available at hand and with the proven membership $a^e(t) \in L(a^e, t, n)$, but without going through $t$ squarings mod $n$, Bob must not be able to show to a third party that the data he possesses form a signature of Alice on $M$. That this property holds is shown below.

Let $M' \in J_+(n)$ be any message of Bob's choice (e.g., $M'^d$ becomes available to him from a different context). We have

$TS(M, t) \equiv a(t) M^d \equiv a'(t) M'^d \pmod n$.

So the third party has to decide which of $M^d$ or $M'^d$ is sealed in $TS(M, t)$. This boils down to deciding whether $a(t) \in L(a, t, n)$ or $a'(t) \in L(a, t, n)$ (both are in $J_+(n)$). Even by making $a(t)$ and $a'(t)$ available to the third party (and hence $M^d$ and $M'^d$ become available too), without having viewed the membership proof protocol run between Alice and Bob, a correct decision will form a grand break-through if it is done at a cost less than $t$ squarings mod $n$. We should emphasise the following point: even though the availability of $M^d$ and $M'^d$ allows one to recognise both to be Alice's valid signatures, without verifying the membership status one is unable to tell whether either of the two has any connection with $TS(M, t)$ at all.

4 Membership Proof with Safe-Prime-Structured Modulus

Let Alice have constructed her RSA modulus $n$ with a safe-prime structure. This requires $n = pq$, $p' = (p - 1)/2$, $q' = (q - 1)/2$ where $p, q, p'$ and $q'$ are all distinct primes of roughly equal size. We assume that Alice has proven to Bob in zero-knowledge such a structure of $n$. This can be achieved via using, e.g., the protocol of Camenisch and Michels [4].¹
Let $a \in Z_n^*$ satisfy

$\gcd(a \pm 1, n) = 1$, (12)

$\left(\frac{a}{n}\right) = -1$. (13)

It is elementary to show that $a$ satisfying (12) and (13) has the full order $2p'q'$. The following lemma observes a property of $a$.

¹ Due to the current difficulty of zero-knowledge proof for a safe-prime-structured RSA modulus, we recommend using the protocol in Section 5, which works with any odd composite modulus provided it is difficult to factor. Section 4 merely serves a preparation purpose for Section 5.

SQ(a, x, y, n)

Input: Common: n: an RSA modulus with a safe-prime structure;
    a: an element of the full order 2p'q' = φ(n)/2 (so a ≢ ±1 (mod n));
    x, y ∈ J+(n): x ≢ ±y (mod n);
  Alice: z: x ≡ ±a^z (mod n), y ≡ ±a^(z^2) (mod n);

1. Bob chooses at random r < n, s < n and sends to Alice: C := a^r x^s (mod n);

2. Alice sends to Bob: R := C^z (mod n);

3. Bob accepts if R ≡ x^r y^s (mod n), or rejects otherwise.

Figure 1: Building Block Protocol

Lemma 1 Let $n$ be an RSA modulus of a safe-prime structure and $a \in Z_n^*$ of the full order. Then for any $x \in Z_n^*$, either $x \in \langle a \rangle$ or $-x \in \langle a \rangle$.

Proof It is easy to check $-1 \notin \langle a \rangle$. So $\langle a \rangle$ and the coset $(-1)\langle a \rangle$ both have half the size of $Z_n^*$, yielding $Z_n^* = \langle a \rangle \cup (-1)\langle a \rangle$. Any $x \in Z_n^*$ is either in $\langle a \rangle$ or in $(-1)\langle a \rangle$. The latter case means $-x \in \langle a \rangle$. □

4.1 A Building Block Protocol

Let Alice and Bob have agreed on $n$ (this is based on Bob's satisfaction with Alice's proof that $n$ has a safe-prime structure).

Figure 1 specifies a perfect zero-knowledge protocol for Alice to prove that $a, x, y \in Z_n^*$, with $n$ of a safe-prime structure, $a$ of the full order, and $x, y \in J_+(n)$, satisfy (note, $\pm$ below means either $+$ or $-$, but not both)

$\exists z : x \equiv \pm a^z \pmod n,\quad y \equiv \pm a^{z^2} \pmod n$. (14)

Alice should of course have constructed $a, x, y$ to satisfy (14). She sends $a, x, y$ to Bob.

Bob (having checked that $n$ has a safe-prime structure) should first check (12) and (13) on $a$ for its full-order property (the check guarantees $a \not\equiv \pm 1 \pmod n$); he should also check $x, y \in J_+(n)$.

Remark For ease of exposition this protocol appears in a non-zero-knowledge format. However, the zero-knowledge property can be added to it using the notion of a commitment function: instead of Alice sending $R$ in Step 2, she sends a commitment $commit(R)$, after which Bob reveals $r$ and $s$; this allows Alice to check the correct formation of $C$, and correct formation means that Bob already knows Alice's response.
Theorem 1 Let $a, x, y, n$ be as specified in the common input in Protocol SQ. The protocol has the following properties:

Completeness There exist $z \in Z_n$ and $x, y \in Z_n^*$ satisfying (14); for these values Bob will always accept Alice's proof;

Soundness If (14) does not hold for the common input, then Alice, even computationally unbounded, cannot convince Bob to accept her proof with probability greater than $\frac{2p' + 2q' - 1}{2p'q'}$.²

Zero-knowledge Bob gains no information about Alice's private input.

Proof

Completeness For any $z \in Z_n$, let $x = a^z \pmod n$, $y = a^{z^2} \pmod n$ (both in the plus case). It is evident from inspection of the protocol that Bob will always accept Alice's proof.

Soundness Suppose that (14) does not hold whereas Bob has accepted Alice's proof.

The first congruence of (14) holds as a result of Lemma 1. So it is the second congruence of (14) that does not hold. Let $\xi \in Z_n^*$ satisfy

$y = \xi a^{z^2} \pmod n$ with $\mathrm{Order}_n(\xi) > 2$. (15)

By asserting $\mathrm{Order}_n(\xi) > 2$ we exclude the cases of $\xi$ being any square root of 1, which consists of either $\pm 1$, or the other two roots, which would render $y \notin J_+(n)$.

We only need to consider the case $x \equiv -a^z \pmod n$. The other case $x \equiv a^z \pmod n$ is completely analogous (and easier).

Since Bob accepts the proof, he sees the following two congruences

$C \equiv a^r x^s \pmod n$, (16)

$R \equiv x^r y^s \pmod n$. (17)

Examining (16), we see that $C = a^r (-x)^s \in \langle a \rangle$ if $s$ is even, or $-C = a^r (-x)^s \in \langle a \rangle$ if $s$ is odd. So for either case of $s$, we are allowed to re-write (16) into the following linear congruence with $r$ and $s$ as unknowns

$\log_a(\pm C) \equiv r + sz \pmod{2p'q'}$.

For every case of $s = 1, 2, \cdots, 2p'q'$, this linear congruence has a value for $r$. This means that for any fixed $C$, (16) has exactly $2p'q'$ pairs of solutions. Each of these pairs will yield an $R$ from (17). Below we argue that for any two solution pairs from (16), which we denote by $(r, s)$ and $(r', s')$, if $\gcd(s - s', 2p'q') \le 2$ then they must yield $R \ne R' \pmod n$. Suppose on the contrary

$a^r x^s \equiv C \equiv a^{r'} x^{s'} \pmod n$, i.e., $a^{r - r'} \equiv x^{s' - s} \pmod n$, (18)

it also holds

$x^r y^s \equiv R \equiv R' \equiv x^{r'} y^{s'} \pmod n$, i.e., $x^{r - r'} \equiv y^{s' - s} \pmod n$. (19)

Using (18) and (15) and noticing $x = -a^z$, we can transform (19) into

$(-1)^{[r - r' + z(s' - s)]} a^{[z^2 (s' - s)]} \equiv x^{r - r'} \equiv y^{s' - s} \equiv \xi^{s' - s} a^{[z^2 (s' - s)]} \pmod n$,

which yields

$\xi^{s' - s} \equiv (-1)^{[r - r' + z(s' - s)]} \equiv \pm 1 \pmod n$, i.e., $\xi^{2(s' - s)} \equiv 1 \pmod n$. (20)

Recall that $\mathrm{Order}_n(\xi) > 2$, which implies $\mathrm{Order}_n(\xi)$ being a multiple of $p'$ or $q'$ or both. However, $\gcd(s' - s, 2p'q') \le 2$, i.e., $\gcd(2(s' - s), 2p'q') = 2$, so $2(s' - s)$ cannot be such a multiple. Consequently (20) cannot hold and we reach a contradiction.

For any $s \le 2p'q'$, it is routine to check that there are $2p' + 2q' - 2$ cases of $s'$ satisfying $\gcd(2(s' - s), 2p'q') > 2$. Thus, if (14) does not hold, amongst $2p'q'$ possible $R$'s matching the challenge $C$, there are in total $2p' + 2q' - 1$ of them (matching $s$ and the other $2p' + 2q' - 2$ values of $s'$) that may collide with Bob's fixing of $R$. Even computationally unbounded, Alice will have at best $\frac{2p' + 2q' - 1}{2p'q'}$ probability of having responded correctly.

Zero-Knowledge Immediate (see Remark after the description of the protocol). □

² The safe-prime structure of $n$ implies $p' \approx q' \approx \sqrt{n}$ and hence this probability value is approximately $1/\sqrt{n}$.

4.2 Proof of Membership in $L(a, t, n)$

For $t > 1$, we can express $2^t$ as

$2^t = \begin{cases} [2^{t/2}]^2 & \text{if } t \text{ is even} \\ 2^{2 \cdot (t-1)/2 + 1} = [2^{(t-1)/2}]^2 \cdot 2 & \text{if } t \text{ is odd} \end{cases}$

Copying this expression to the exponent position of $a^{2^t} \pmod n$, we can express

$a^{2^t} \pmod n = \begin{cases} \left(a^{2^{t/2}}\right)^{2^{t/2}} & \text{if } t \text{ is even} \\ \left(a^{[2^{(t-1)/2}]^2}\right)^2 & \text{if } t \text{ is odd} \end{cases}$ (21)

In (21) we see that the exponent $2^t$ can be expressed as the square of another power of 2 with $t$ being halved in the latter. This observation suggests that by repeatedly using SQ we can demonstrate, in $\lfloor \log_2 t \rfloor$ steps, that the discrete logarithm of an element is of the form $2^t$. This observation translates precisely into the protocol specified in Figure 2, which will terminate within $\lfloor \log_2 t \rfloor$ steps and prove the correct structure of $a(t)$. The protocol is presented in three columns: the actions in the left column are performed by Alice, those in the right column by Bob, and those in the middle by both parties.

A run of Membership(a, t, a(t), n) will terminate within $\lfloor \log_2 t \rfloor$ loops, and this is the completeness property. The zero-knowledge property follows that of SQ. We only have to show the soundness property.

Theorem 2 Let $n = (2p' + 1)(2q' + 1)$ be an RSA modulus of a safe-prime structure, $a \in Z_n^*$ be of the full order $2p'q'$, and $t > 1$. Upon acceptance termination of Membership(a, t, a(t), n), the relation $a(t) = a^{2^t} \pmod n$ holds with probability greater than

$1 - \frac{\lfloor \log_2 t \rfloor (2p' + 2q' - 1)}{2p'q'}$.

Proof Denote by SQ(a, x_1, y_1, n) and by SQ(a, x_2, y_2, n) any two consecutive acceptance calls of SQ in Membership (so $y_1 = a(t)$ in the first call, and $x_2 = a^2$ in the last call, of SQ in Membership, respectively). When $t > 1$, such two calls prove that there exists $z$:

$x_2 \equiv \pm a^z \pmod n,\quad y_2 \equiv \pm a^{z^2} \pmod n$, (22)

and either

$x_1 = y_2 \equiv \pm a^{z^2} \pmod n,\quad y_1 \equiv \pm a^{z^4} \pmod n$, (23)

or

$x_1 = y_2^2 \equiv a^{2z^2} \pmod n,\quad y_1 \equiv \pm a^{4z^4} \pmod n$. (24)

Membership(a, t, a(t), n)
Abort and reject if any checking by Bob fails, or accept upon termination.

  Alice                            Both parties                Bob
  ---------------------------------------------------------------------------------------------
                                   u := a(t);                  u ∈ J+(n)?  a ≢ ±u (mod n)?
                                   While t > 1 do
  y := u;
  if t is odd: y := a(t-1);
  x := a(⌊t/2⌋);
  Sends x, y to Bob;                                           Receives x, y from Alice;
                                                               x, y ∈ J+(n)?
                                                               if t is odd: y^2 ≡ u (mod n)?
                                   SQ(a, x, y, n);
                                   u := x;
                                   t := ⌊t/2⌋;
                                   When t = 1:                 u ≡ a^2 (mod n)?

Figure 2: Membership Proof Protocol

Upon $t = 1$, Bob further sees that $x_2 = a^2$. By induction, the exponents $z$ (resp. $z^2$, $z^4$, $2z^2$, $4z^4$) in all cases of $\pm a^z$ (resp. $\pm a^{z^2}$, $\cdots$) in (22), (23) or (24) contain 2 as their only prime factor, and the minus symbol disappears from (22), (23) and (24) since the even exponents imply all cases of $x$ and $y$ to be quadratic residues. So we can write $a(t) = a^{2^u} \pmod n$ for some natural number $u$.

Further note that each call of SQ causes an effect of having $2^u$ square-rooted in the integers, which is equivalent to having $u$ halved in the integers. Thus, exactly $\lfloor \log_2 u \rfloor$ calls (and no more) of SQ can be made. But Bob has counted $\lfloor \log_2 t \rfloor$ calls of SQ, therefore $u = t$.

Each acceptance call of SQ has the correctness probability of $1 - \frac{2p' + 2q' - 1}{2p'q'}$. So after $\lfloor \log_2 t \rfloor$ acceptance calls of SQ, the probability for Membership to be correct is

$\left(1 - \frac{2p' + 2q' - 1}{2p'q'}\right)^{\lfloor \log_2 t \rfloor} > 1 - \frac{\lfloor \log_2 t \rfloor (2p' + 2q' - 1)}{2p'q'}$. □

Discussions




i) It is obvious that by preparing all the intermediate values in advance, Membership can be run in parallel to save the $\lfloor \log_2 t \rfloor$ rounds of interactions.

ii) In our applications described in §3, we will always prove $a^e(t) \in L(a^e, t, n)$ where $e$ satisfies $\gcd(e, \phi(n)) = 1$ (i.e., $e$ is an RSA encryption exponent). Thus $a^e$ preserves the full-order property to allow proper running of SQ and Membership.

iii) In case of proving the correctness of $a(t)$ with an intention for a reconstruction to be done in $t$ squarings (e.g., reconstruction of $a(t-1)$ to be done in $t - 1$ squarings), we should note that a run of Membership(a, t, a(t), n) has caused disclosure of $a(\lfloor t/2 \rfloor)$ for even $t$ and $a(t-1)$ for odd $t$. This disclosure allows the reconstruction to be done in $t/2$ or $0$ squarings, respectively. To compensate for the loss of computation, a proof of $a(2t)$ is necessary. Consequently, Membership(a, 2t, a(2t), n) runs one loop more than Membership(a, t, a(t), n) does. Note that this precaution is unnecessary for our applications in §3, because there it is the $e$-th root of the disclosed value that is needed, and that root is still not available.

4.3 Performance

In each run of SQ, Alice (resp. Bob) performs one (resp. four) exponentiation(s) mod $n$. So in Membership(a, t, a(t), n) Alice (resp. Bob) will perform $\lfloor \log_2 t \rfloor$ (resp. $4\lfloor \log_2 t \rfloor$) exponentiations mod $n$. These translate to $O(\lfloor \log_2 t \rfloor (\log_2 n)^3)$ bit operations.

In the LCS35 Time Capsule Crypto-Puzzle [10], $t = 79685186856218$ is a 47-bit binary number. Thus the verification for that puzzle can be completed within $4 \times 47 = 188$ exponentiations mod $n$.

The number of bits to be exchanged is measured by $O(\lfloor \log_2 t \rfloor (\log_2 n))$.
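The following Python program is an added example, not the patent's own code: it implements Bob's side of Protocol SQ (Figure 1) and of Membership (Figure 2), including the checks (12), (13), $x, y \in J_+(n)$, $x \not\equiv \pm y$ and $y^2 \equiv u$ for odd $t$, against an honest Alice on a constructed toy safe-prime modulus ($p' = 11$, $q' = 23$, so $n = 23 \cdot 47$). It also counts the SQ loops so the $\lfloor \log_2 t \rfloor$ bound of §4.2 can be observed, and shows a wrongly claimed $a(t)$ being rejected.

```python
from math import gcd
import secrets

# Constructed toy safe-prime modulus (not from the patent): p = 2p'+1 = 23, q = 2q'+1 = 47.
P_PRIME, Q_PRIME = 11, 23
N = (2 * P_PRIME + 1) * (2 * Q_PRIME + 1)   # 1081


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, via quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def in_j_plus(x, n):
    """J+(n): units of Z_n with Jacobi symbol +1."""
    return gcd(x, n) == 1 and jacobi(x, n) == 1


def full_order_checks(a, n):
    """Bob's checks (12) gcd(a +- 1, n) = 1 and (13) (a/n) = -1, which force order 2p'q'."""
    return gcd(a - 1, n) == 1 and gcd(a + 1, n) == 1 and jacobi(a, n) == -1


class HonestAlice:
    """Alice knows the chain a(k) = a^(2^k) mod n; in round t her private z is 2^floor(t/2),
    so that x = a(floor(t/2)) = a^z and y = a(2*floor(t/2)) = a^(z^2)."""

    def __init__(self, a, n):
        self.a, self.n = a, n

    def value(self, k):
        v = self.a
        for _ in range(k):
            v = v * v % self.n
        return v

    def respond(self, c, t):
        return pow(c, 1 << (t // 2), self.n)   # Step 2 of SQ: R = C^z mod n


def sq_verify(a, x, y, n, respond):
    """Bob's side of SQ(a, x, y, n); `respond(C)` is Alice's Step 2. Four exponentiations."""
    if not (in_j_plus(x, n) and in_j_plus(y, n)) or x in (y, (-y) % n):
        return False
    r, s = secrets.randbelow(n - 1) + 1, secrets.randbelow(n - 1) + 1   # Step 1
    c = pow(a, r, n) * pow(x, s, n) % n
    return respond(c) == pow(x, r, n) * pow(y, s, n) % n               # Step 3


def membership_verify(a, t, at, n, alice):
    """Bob's side of Membership(a, t, a(t), n). Returns (accepted, number of SQ loops)."""
    if not full_order_checks(a, n):
        return False, 0
    u = at
    if not in_j_plus(u, n) or u in (a, (-a) % n):
        return False, 0
    loops = 0
    while t > 1:
        y = u
        if t % 2 == 1:                      # odd t: Alice supplies a(t-1), Bob checks y^2 = u
            y = alice.value(t - 1)
            if pow(y, 2, n) != u:
                return False, loops
        x = alice.value(t // 2)
        if not sq_verify(a, x, y, n, lambda c: alice.respond(c, t)):
            return False, loops
        u, t = x, t // 2
        loops += 1
    return u == pow(a, 2, n), loops         # when t = 1: u must equal a^2


def pick_a(n):
    """Smallest a passing (12) and (13); a brute scan is cheap for the toy modulus."""
    return next(a for a in range(2, n) if full_order_checks(a, n))


if __name__ == "__main__":
    a = pick_a(N)
    alice = HonestAlice(a, N)
    print(membership_verify(a, 20, alice.value(20), N, alice))   # honest claim: accepted
    print(membership_verify(a, 5, alice.value(6), N, alice))     # a(6) claimed as a(5): rejected
```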

5 Membership Proof with General Modulus

Now we show that our membership proof protocol can work with a modulus which is any odd composite integer provided it has two distinct prime factors (so factoring can be difficult). Our trick is to work with $n^2$ and prove

$a(t) \in L(a, t, n^2)$

where $a(t)$ is constructed modulo $n^2$ (to be specified in (25) and (26) below). Once the above is proven, $a(t) \pmod n \in L(a, t, n)$ results straightforwardly.

We begin by presenting a lemma which observes an interesting property of elements in $Z_{n^2}^*$ where $n$ is any odd composite integer with at least two distinct prime factors. (Paillier used the same group to construct new public-key cryptosystems [9], which do not use our observation.)

Lemma 2 Let $n$ be any odd composite integer. For a randomly chosen integer $u \in Z_{n^2}^*$,

$\Pr[\, n \text{ divides } \mathrm{Order}_{n^2}(u) \,] \ge \frac{\phi(n)}{n}$.

Proof See Appendix A.
Protocol SQ2(a, x, y, n)

Input: Common: n: an odd composite integer with at least two distinct prime factors;
    a, x, y ∈ Z_{n^2}^*: x ≢ ±a (mod n^2) and x is in the orbit of a;
  Alice: z: x ≡ a^z (mod n^2), y ≡ a^(z^2) (mod n^2);

1. Bob chooses at random r < n^2, s < n^2, and sends to Alice: C := a^r x^s (mod n^2);

2. Alice sends to Bob: R := C^z (mod n^2) with a non-interactive proof R ∈ ⟨C⟩;

3. Bob accepts if R ≡ x^r y^s (mod n^2), or rejects otherwise.

Figure 3: Modified Building-Block Protocol
5.1 Modified Membership Proof Protocol

Let Alice have constructed $a(t) \pmod{n^2}$. She can do so efficiently by the following two steps

$u \stackrel{\mathrm{def}}{=} 2^t \pmod{\phi(n) n}$, (25)

$a(t) \stackrel{\mathrm{def}}{=} a^u \pmod{n^2}$. (26)

The building-block protocol SQ will be modified into SQ2 in Figure 3, which allows Alice to prove that a common input tuple $(a, x, y, n)$ satisfies

$\exists z : x \equiv a^z \pmod{n^2}$ and $y \equiv a^{z^2} \pmod{n^2}$. (27)

The modified protocol will require $a \in Z_{n^2}^*$ to have an order divisible by $n$. By Lemma 2, if $a$ is output from a pseudo-random generator which is seeded with $n$ and a publicly verifiable seed, then this will almost certainly be the case. This way of fixing $a$ can be verified by Bob. Also, we assume that $x$ is in the orbit of $a$ (as will be clear in a moment, this will always be seen by Bob in his verification, which applies SQ2). Of course, Bob should check $x \not\equiv \pm a \pmod{n^2}$ before engaging in a verification run with Alice.
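The following Python program is an added example (not from the patent) for Lemma 2 and for Alice's construction (25)-(26). It counts exhaustively, for the constructed tiny moduli $n = 15$ (where $\gcd(\phi(n), n) = 1$ and the bound is met with equality) and $n = 21$ (where it is strict), how many $u \in Z_{n^2}^*$ have order divisible by $n$, compares with the lower bound $\phi(n)^2$ out of $\phi(n) n$ elements from the proof in Appendix A, and checks that $a(t)$ built via (25)-(26) agrees with $t$ squarings modulo $n^2$ and reduces modulo $n$ to $a(t) \pmod n$.

```python
from math import gcd


def phi(n):
    """Euler's totient by trial division (toy sizes only)."""
    result, m, p = n, n, 2
    while p * p <= m:
        if m % p == 0:
            while m % p == 0:
                m //= p
            result -= result // p
        p += 1
    if m > 1:
        result -= result // m
    return result


def order_mod(u, m):
    """Multiplicative order of u in Z_m^* by brute force; u must be a unit mod m."""
    v, k = u % m, 1
    while v != 1:
        v = v * u % m
        k += 1
    return k


def lemma2_count(n):
    """Exhaustively count u in Z_{n^2}^* whose order is divisible by n.
    Returns (count, phi(n)**2, phi(n)*n): the proof of Lemma 2 gives count >= phi(n)^2
    while |Z_{n^2}^*| = phi(n)*n, so the probability is at least phi(n)/n."""
    n2 = n * n
    count = sum(1 for u in range(1, n2) if gcd(u, n2) == 1 and order_mod(u, n2) % n == 0)
    return count, phi(n) ** 2, phi(n) * n


def timed_value_mod_n2(a, t, n):
    """Alice's construction (25)-(26): u = 2^t mod phi(n)*n, then a(t) = a^u mod n^2.
    Reducing the exponent is valid because |Z_{n^2}^*| = phi(n)*n."""
    u = pow(2, t, phi(n) * n)
    return pow(a, u, n * n)


def squarings(a, t, m):
    """Bob's reconstruction: t sequential squarings modulo m."""
    v = a % m
    for _ in range(t):
        v = v * v % m
    return v


def consistent(a, t, n):
    """a(t) mod n^2 equals t squarings mod n^2 and reduces mod n to a(t) mod n, which is
    why acceptance of a(t) in L(a, t, n^2) carries over to a(t) mod n in L(a, t, n)."""
    at2 = timed_value_mod_n2(a, t, n)
    return at2 == squarings(a, t, n * n) and at2 % n == squarings(a, t, n)


if __name__ == "__main__":
    for n in (15, 21):
        count, bound, size = lemma2_count(n)
        print(n, count, bound, size, count / size >= phi(n) / n)
    print(consistent(2, 10, 15), consistent(7, 33, 15))
```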

Remark Besides the use of $n^2$, SQ2 differs from SQ in Step 2, where Alice adds a proof of subgroup membership, which is very simple (see, e.g., Stinson [12], pages 399-400) and can be made non-interactive.

We only have to prove the soundness property for SQ2.

Theorem 3 Let $a, x, y, n$ be as specified in the common input of Protocol SQ2. The protocol has the following soundness property:

Soundness If (27) does not hold for the common input values, then Alice cannot convince Bob to accept her proof with probability greater than $\frac{n - \phi(n) + 1}{n}$.³

Proof See Appendix A.

³ For $n$ being a standard RSA modulus, i.e., a product of two primes of roughly equal size, this probability value is $\approx 1/\sqrt{n}$.
Replacing SQ with SQ2 and $n$ with $n^2$, Membership is modified straightforwardly to work with $n^2$. Upon acceptance, Bob sees that when $t = 1$, $x$ has an initial value generated by $a$. By the soundness property of SQ2, $y$ will have an initial value generated by $a$ using a power of 2, which has been used as the value of $x$ in a previous loop. By induction, this status ($x \in \langle a \rangle$) will be maintained as long as Bob has accepted each run of SQ2. Thus after $\lfloor \log_2 t \rfloor$ instances of acceptance of SQ2, the modified Membership has a correctness probability greater than

$1 - \frac{\lfloor \log_2 t \rfloor (n - \phi(n) + 1)}{n}$.

Finally we should recap that Bob's acceptance of $a(t) \in L(a, t, n^2)$ implies his acceptance of $a(t) \pmod n \in L(a, t, n)$. The timed-release encryption and signature schemes in §3 should remain working modulo $n$, rather than $n^2$.

5.2 Performance

In SQ2, the additional step for verifying the subgroup membership condition will require Bob to compute an additional modular exponentiation, while Alice's load remains the same. So Bob will compute 5 modular exponentiations mod $n^2$.

The use of a modulus of double size will result in an 8-fold increase in local computations. Thus, to prove (resp. verify) $a(t) \in L(a, t, n^2)$ using the modified membership proof protocol, Alice (resp. Bob) will perform $8\lfloor \log_2 t \rfloor$ (resp. $(5 \times 8)\lfloor \log_2 t \rfloor$) exponentiations mod $n$. (These measurements have been converted to the modulo-$n$ operation.)

6 Conclusion

We have constructed general and efficient cryptographic protocol schemes for achieving timed-release cryptography, which include timed-release encryption and timed-release signatures. These schemes have proven correctness on time control, which can be fine-tuned to the granularity of the number of multiplications.

We have also shown that the use of $n^2$ can relax the structural requirement on $n$. This is an important observation which indicates that many RSA-based protocols which require the use of safe-prime-structured moduli can be modified this way to work with standard moduli. Therefore this observation forms an independent contribution to the area of study.
A Proofs

Lemma 2 Let $n$ be any odd composite integer. For a randomly chosen integer $u \in Z_{n^2}^*$,

$\Pr[\, n \text{ divides } \mathrm{Order}_{n^2}(u) \,] \ge \frac{\phi(n)}{n}$.

Proof Write $n = \prod_{i=1}^{r} p_i^{e_i}$ with $p_i$ (for $i = 1, 2, \cdots, r$) being distinct odd primes. Let $i = 1, 2, \cdots, r$.

For any $x \in Z_{n^2}^*$ denote by $x_i \in Z_{p_i^{2e_i}}^*$ the result of $x \bmod p_i^{2e_i}$. Then $x \in Z_{n^2}^*$ has an order divisible by $n$ if and only if $x_i \in Z_{p_i^{2e_i}}^*$ has an order divisible by $p_i^{e_i}$, i.e., the order is $p_i^{e_i} k$ for $k \mid \phi(p_i^{e_i})$.

In the cyclic group $Z_{p_i^{2e_i}}^*$, the number of elements of order $p_i^{e_i} k$ for $k \mid \phi(p_i^{e_i})$ is $\phi(p_i^{e_i} k)$. Summing them up for all the cases of $k$, the number of such elements in $Z_{p_i^{2e_i}}^*$ is

$\sum_{k \mid \phi(p_i^{e_i})} \phi(p_i^{e_i} k) \ge \phi(p_i^{e_i}) \sum_{k \mid \phi(p_i^{e_i})} \phi(k) = \phi(p_i^{e_i})^2$.

The inequality meets the equation case only when $\gcd(\phi(n), n) = 1$ and thereby $\phi(p_i^{e_i} k) = \phi(p_i^{e_i}) \phi(k)$. Thus, in $Z_{n^2}^*$, the number of elements of orders divisible by $n$ is at least

$\prod_{i=1}^{r} \phi(p_i^{e_i})^2 = \left(\prod_{i=1}^{r} \phi(p_i^{e_i})\right)^2 = \phi(n)^2$.

The claimed probability bound follows from the fact that $Z_{n^2}^*$ has $\phi(n) n$ elements. □

Theorem 3 Let $a, x, y, n$ be as specified in the common input of Protocol SQ2. The protocol has the following soundness property:

Soundness If (27) does not hold for the common input values, then Alice cannot convince Bob to accept her proof with probability greater than $\frac{n - \phi(n) + 1}{n}$.⁴

Proof Suppose that (27) does not hold whereas Bob has accepted Alice's proof. Since $x$ is in the orbit of $a$, it is the second congruence of (27) that does not hold. We can denote $z = \log_a x$ and

$\exists \xi \ne 1 : y = \xi a^{z^2} \pmod{n^2}$. (28)

Since Bob accepts the proof, he sees the following two congruences (noticing (28) with $x = a^z$):

$C = a^r x^s = a^{r + sz} \pmod{n^2}$, (29)

$R \equiv x^r y^s = a^{(r + sz) z} \xi^s = C^z \xi^s \pmod{n^2}$.

Since Alice has also proven $R = C^k \pmod{n^2}$ for some $k$, we derive

$C^{k - z} = \xi^s \pmod{n^2}$. (30)

On the other hand, in (29), $\log_a C$ exists since $x \in \langle a \rangle$, so writing $\mathrm{Order}_{n^2}(a) = \ell n$ for some integer $\ell \mid \phi(n)$, we are allowed to rewrite (29) into the following linear congruence

$\log_a C = r + sz \pmod{\ell n}$.

For each case of $s = 1, 2, \cdots, \ell n$, this linear congruence has a value for $r$, and so it has exactly $\ell n$ distinct solution pairs. Note that these pairs are solved from the fixed $C, a, x$, and so they are independent from $k$ and the fixed $z$. So the right-hand side of (30) is a constant for all cases of $s = 1, 2, \cdots, \ell n$; in particular, for the cases of $s = 1, 2$, we have:

$1 = \xi^{2 - 1} = \xi \pmod{n^2}$.

This contradicts (28).

Since we derive the contradiction on the condition that $R \in \langle C \rangle$, the probability for Alice's successful cheating is therefore the same as that for $R \notin \langle C \rangle$, i.e., the error probability of the subgroup membership proof (in Step 2). If $\mathrm{Order}_{n^2}(C)$ is a multiple of $n$, then the latter probability is bounded by $1/n$. Thus, using the result of Lemma 2, we have (note that $\Pr[E \mid F]$ denotes the conditional probability)

$\Pr[\text{Alice cheats}] = \Pr[R \notin \langle C \rangle \mid \mathrm{Order}_{n^2}(C) \ge n] \Pr[\mathrm{Order}_{n^2}(C) \ge n] + \Pr[R \notin \langle C \rangle \mid \mathrm{Order}_{n^2}(C) < n] \Pr[\mathrm{Order}_{n^2}(C) < n]$

$\le 1/n + 1 - \phi(n)/n = \frac{n - \phi(n) + 1}{n}$. □

⁴ For $n$ being a standard RSA modulus, i.e., a product of two primes of roughly equal size, this probability value is $\approx 1/\sqrt{n}$.


CLAIMS 



1. A method by which a first computing entity can verify to a second computing entity that a value $a(t)$ provided by the first computing entity to the second computing entity is a member of the language $L(a, t, n)$ where

$L(a, t, n) = \{(a, t, a^{2^t} \pmod n) \mid t < n,\ \gcd(a, n) = 1\}$, where $n$ is an odd composite integer having two distinct prime factors, $a \in Z_n^*$ of the full order and $t < n$, in which the first computing entity sends a set of values to the second computing entity during a run of a procedure of a plurality of rounds, each round being carried out by the first and second computing entities with respect to three of said series of values, denoted $a, x, y$, and in which round the first computing entity proves to the second computing entity by way of a proof that there exists a $k$ for which $x = a^{2^k} \pmod n$ and $y = a^{(2^k)^2} \pmod n$, and which proof defines a new set of three values of the series by defining $y = x$ if $k$ in the current round is even or $y = \sqrt{x} \pmod n$ if $k$ in the current round is odd,

this round of steps being successively repeated until the new set of values defined by a round of steps satisfy $x = a^2 \pmod n$.

2. The method of claim 1 in which the second computing entity verifies the values $x$ and $y$ received from the first computing entity.

3. The method of claim 1 in which the second computing entity first verifies $a(t) \in J_+(n)$ and that $a$ is not $\equiv \pm u \pmod n$.
4. The method of claim 1 in which the proof comprises the first computing entity selecting a value $z$: $x \equiv \pm a^z \pmod n$, $y \equiv \pm a^{z^2} \pmod n$, the second computing entity choosing at random $r < n$, $s < n$ and sending the value $C = a^r x^s \pmod n$ to the first computing entity, the first computing entity sending to the second computing entity the value $R = C^z \pmod n$, and the second computing entity accepting the verification if, and only if, the received value $R$ is $\equiv x^r y^s \pmod n$.

5. The method of claim 1, including the computer implemented first step of verifying by data exchanges with the computing entities that $n$ is an odd composite of two distinct primes to a desired confidence level.

6. The method of claim 1, including the computer implemented step of verifying $a \in Z_n^*$ of the full order.

7. A method by which a computing entity can provide that an RSA ciphertext $M^e \pmod n$ of a message $M < n$ provided to another computing entity is verifiably decryptable in time $t$, where $n = p \cdot q$, $p$ and $q$ being two distinct odd primes and $e$ is relatively prime to $\phi(n)$, the method comprising the computer implemented steps of:

a) forming $a(t) = a^{2^t} \pmod n$ and $a^e(t) = (a(t))^e \pmod n$, $a$ not $\equiv \pm 1 \pmod n$ and being a random element in $Z_n^*$;

b) forming $TE(M, t) = a(t) M \pmod n$;

c) sending the tuple $(TE(M, t), a^e(t), e, a, t, n)$ to the other computing entity.
8. The method of claim 7 wherein the other computing entity on receiving the tuple from the computing entity verifies that the RSA ciphertext $M^e \pmod n$ is decryptable from $TE(M, t)$ in time $t$ by confirming $a^e(t) \in L(a^e, t, n)$ by the method of any one of claims 1 to 10 and by confirming $TE(M, t)^e = a^e(t) M^e \pmod n$.

9. A method by which a computing entity can provide that an RSA signature $M^d \pmod n$ on a message $M < n$ provided to another computing entity is verifiably releasable in time $t$, where $n = p \cdot q$, $p$ and $q$ being distinct odd primes and $d$ is relatively prime to $\phi(n)$, the method comprising the computer implemented steps of:

a) forming $a(t) = a^{2^t} \pmod n$ and $a^e(t) = (a(t))^e \pmod n$, $a$ not being $\equiv \pm 1 \pmod n$ and being a random element in $Z_n^*$;

b) forming $TS(M, t) = a(t) M^d \pmod n$;

c) sending the tuple $(M, TS(M, t), a^e(t), e, a, t, n)$ to the other computing entity.

10. The method of claim 9 wherein the other computing entity on receiving the tuple from the computing entity verifies that the RSA signature $M^d \pmod n$ can be obtained from $TS(M, t)$ in time $t$ by confirming $a^e(t) \in L(a^e, t, n)$ by the method of any one of claims 1 to 10 and by confirming $TS(M, t)^e \equiv a^e(t) M \pmod n$.

11. A computing entity comprising:

a data processing equipment;

a memory; and

a communications equipment,

said data processing equipment being configured so as to be capable of processing data according to a set of instructions stored in said memory;

said communications equipment configured so as to communicate data according to said set of instructions;

said set of instructions being such as to configure the computing entity to be capable of carrying out the computer implemented steps of the first computing entity of claim 1.

12. A computing entity comprising:

a data processing equipment;

a memory; and

a communications equipment,

said data processing equipment being configured so as to be capable of processing data according to a set of instructions stored in said memory;

said communications equipment configured so as to communicate data according to said set of instructions;

said set of instructions being such as to configure the computing entity to be capable of carrying out the computer implemented steps of the second computing entity of claim 1.

13. A communication system including a system of at least co-operating computing entities, one of each as claimed in claims 11 and 12, which are able to exchange data by way of a communications medium, and in which said communications medium includes one or more of any of the internet, local area network, wide area network, virtual private circuit or public telecommunications network.

14. A computer storage medium having stored thereon a computer program readable by a general-purpose computer, the computer program including instructions for said general-purpose computer to configure it to be as the computing entity of claim 11 or 12.